Preparing the launch of a new app from the (data) security perspective

Our company is currently preparing the launch of a new mobile app. This means stress throughout the whole company. Marketing has to prepare all the campaigns and their tracking, the associated website has to be designed and tested, the management is constantly in contact with various agencies and the funders, and, as you can surely imagine, the developers hardly have a quiet minute.

I'm in the exciting position of being involved everywhere. After all, there is hardly any department in which data protection is not somehow involved. Not only does the data of future users have to be stored and processed in accordance with the legal regulations on data protection, for which I check the server setups and make sure that things like encryption are implemented properly; things like the terms of service, the privacy statements on the website and in the app, contracts and NDAs with external service providers, and how our customer support should handle requests from users in the future are also topics that land on my desk. Even the marketing department has to reckon with me rapping them on the knuckles if they try to link personal data with their tracking data, which I also monitor. And yes, even the cleaning woman in our office is not allowed to access all areas of the office, and I'm responsible for ensuring she can't: by defining rules for our employees on how to handle access requests from other departments or strangers, by ensuring that appropriate locking systems are installed in the doors, and by making sure the HR department handles key distribution correctly.

In short, I have to have my eyes and ears pretty much everywhere. Besides that, I'm creating the index of data processing activities, documenting data flows, and writing the data protection impact assessment for the app, and my usual activities, like checking and updating our internal policies and concepts, managing risk for our company (not only for data security but also for business continuity and so on), and auditing the IT systems we use, still need to be done as well.

But that's exactly what I enjoy so much about my position. Whereas in my previous positions I used to focus almost exclusively on the IT department (apart from the startups I was involved with in their early stages, where you always have to help out in other areas anyway), in my role as CISO I gain insight into all areas of our company, starting with our office management and ending with the top management, of which I'm now also a part. I find it exciting to get this overall view of how a company like this works and how all the employees work together like the parts of a well-oiled clockwork. And at the end of the day, you look at the day's work in amazement and see how much has been accomplished in so few hours. If you ever want to run your own company, I can recommend working in the security department of an IT company for a while. Afterwards, you will have much more understanding of the worries and fears of the employees, from the cleaning lady up to the department heads and C-level managers.
